[Figure: architecture of inspect. A transformer instruments the multithreaded C/C++ source code, which is then compiled into an executable; at run time the instrumented threads (thread1, thread2, ..., threadn) exchange request/permit messages with an external scheduler that applies dynamic partial order reduction and reports errors.]
as test drivers. Inspect revealed several data races in the code. After manually examining the source code, we found that most of the races are benign races. Besides, we also found that in hashlist, a condition variable is destroyed without initialization. This may lead to undefined behaviors.

6.1 Discussion
Our experiments show that inspect can be very helpful in testing and debugging multithreaded C/C++ applications. However, it also has limitations. First, inspect needs a set of test cases incorporated in its test driver to get good coverage of the code being verified. Secondly, runtime monitoring puts an overhead on the program, especially in programs that have a lot of visible operations on shared data objects. Also, the intrusive instrumentation prevents inspect from checking programs that have strict timing requirements. As inspect checks the program's behavior by monitoring its concrete executions, it is not able to check system-level code the way RacerX, LockSmith, etc., can.

It is obvious that to check a program, we must be able to concretely execute it. When doing our experiments, however, we also tried running several other open-source applications. Unfortunately, some problems were encountered: (i) some programs kept crashing because of other existing bugs; (ii) it is inconvenient to construct a closed world for server programs such as HTTP servers. Other than these limitations, we think inspect is a powerful assistant tool in the process of unit testing and debugging for multithreaded software.

7. OTHER RELATED WORK
Lei et al.[26] designed RichTest, which uses reachability testing to detect data races in concurrent programs. Reachability testing views an execution of a concurrent program as a partially-ordered synchronization sequence. Dynamic partial order reduction, in contrast, views it as an interleaving of visible operations from multiple threads. Compared with RichTest, inspect focuses on checking multithreaded C/C++ programs, and it can detect not only data races but also deadlocks and other errors. However, inspect cannot yet handle send/receive events between multiple processes.

CMC[27] verifies C/C++ programs by using a user-mode Linux as a virtual machine. CMC captures the virtual machine's state as the state of the program. Unfortunately, CMC is not fully automated. As CMC takes the whole kernel plus the user space as the state, it is not convenient for CMC to adopt the dynamic partial order reduction method.

ConTest[28] debugs multithreaded programs by injecting context-switching code that randomly chooses the threads to be executed. As randomness does not guarantee that all interleavings will be explored for a certain input, it is possible for ConTest to miss bugs.

jCute[29] uses a combination of symbolic and concrete execution to check a multithreaded Java program by feeding it with different inputs and replaying the program with different schedules. jCute is more powerful at discovering inputs that make the program execution take different paths. We think the difference between our work and jCute is in the implementation: jCute uses the Java virtual machine to intercept the visible operations of a multithreaded Java program, whereas we use socket communication and an external scheduler for C/C++ programs.

Helmstetter et al.[30] show how to generate schedulings based on dynamic partial order reduction. We think that the differences between our work and theirs lie in: (i) we focus on application-level multithreaded C programs, while they focused on the schedulings of SystemC simulations; and (ii) instead of generating the scheduling only, our work reruns the program and tries to verify safety properties.

CHESS[31] is probably the work most similar to ours. The difference between CHESS and our work lies in the instrumentation and in how control of the scheduling is taken away from the operating system. In CHESS, the instrumentation allocates a semaphore for each thread that is created. It also requires an invariant to be preserved: at any time, every thread but one is blocked on its semaphore. In contrast, we do the instrumentation at the source code level, and use blocking sockets to communicate between the scheduler and the threads.

8. CONCLUSION
In this paper, we propose a new approach to model check safety properties, including deadlocks and stuttering invariants, in multithreaded C/C++ programs. Our method works by automatically enumerating all possible interleavings of the threads in a multithreaded program, and forcing these interleavings to execute one by one. We use dynamic partial-order reduction to eliminate unnecessary explorations. Our preliminary results show that this method is promising for revealing bugs in real multithreaded C programs. Finally, inspect is available from [25].

In the future, inspect can be improved in many ways. We can combine static analysis techniques with dynamic partial order reduction to further reduce the number of interleavings we need to explore to reveal errors. Inspect can also adopt more efficient algorithms such as Goldilocks[32] for computing happens-before relations to improve efficiency. The automated instrumentation can be improved by employing more efficient and precise pointer-alias analysis.

Acknowledgments: We thank Subodh Sharma for helping implement the escape analysis part, and Sarvani Vakkalanka for comments. This work is funded by NSF CNS-0509379, SRC 2005-TJ-1318, and a grant from Microsoft.

9. REFERENCES
[1] Cormac Flanagan and Patrice Godefroid. Dynamic partial-order reduction for model checking software. In Jens Palsberg and Martín Abadi, editors, POPL, pages 110–121. ACM, 2005.
[2] Stefan Savage, Michael Burrows, Greg Nelson, Patrick Sobalvarro, and Thomas Anderson. Eraser: a dynamic data race detector for multithreaded programs. ACM Trans. Comput. Syst., 15(4):391–411, 1997.
[3] Nicholas Nethercote and Julian Seward. Valgrind: A program supervision framework. Electr. Notes Theor. Comput. Sci., 89(2), 2003.
[4] Jong-Deok Choi, Keunwoo Lee, Alexey Loginov, Robert O'Callahan, Vivek Sarkar, and Manu Sridharan. Efficient and precise datarace detection for multithreaded object-oriented programs. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 258–269, New York, NY, USA, 2002. ACM Press.
[5] Dawson Engler and Ken Ashcraft. RacerX: effective, static detection of race conditions and deadlocks. In SOSP '03: Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles, pages 237–252, New York, NY, USA, 2003. ACM Press.
[6] Cormac Flanagan, K. Rustan M. Leino, Mark Lillibridge, Greg Nelson, James B. Saxe, and Raymie Stata. Extended static checking for Java. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 234–245, New York, NY, USA, 2002. ACM Press.
[7] Polyvios Pratikakis, Jeffrey S. Foster, and Michael Hicks. LockSmith: context-sensitive correlation analysis for race detection. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 320–331, New York, NY, USA, 2006. ACM Press.
[8] Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdar. Race checking by context inference. In PLDI '04: Proceedings of the ACM SIGPLAN 2004 Conference on Programming Language Design and Implementation, pages 1–13, New York, NY, USA, 2004. ACM Press.
[9] Robby, Matthew B. Dwyer, and John Hatcliff. Bogor: an extensible and highly-modular software model checking framework. In ESEC/SIGSOFT FSE, pages 267–276, 2003.
[10] Sagar Chaki, Edmund M. Clarke, Alex Groce, Somesh Jha, and Helmut Veith. Modular verification of software components in C. In ICSE, pages 385–395. IEEE Computer Society, 2003.
[11] Tony Andrews, Shaz Qadeer, Sriram K. Rajamani, Jakob Rehof, and Yichen Xie. Zing: A model checker for concurrent software. In Computer Aided Verification, 16th International Conference, CAV 2004, Boston, MA, USA, July 13-17, 2004, Proceedings, volume 3114 of Lecture Notes in Computer Science, pages 484–487. Springer, 2004.
[12] Willem Visser, Klaus Havelund, Guillaume P. Brat, and Seungjoon Park. Model checking programs. In ASE, pages 3–12, 2000.
[13] Gerard J. Holzmann. The Spin Model Checker: Primer and Reference Manual. Addison-Wesley, 2004.
[14] http://nescc.sourceforge.net/.
[15] Patrice Godefroid. Model checking for programming languages using VeriSoft. In POPL, pages 174–186, 1997.
[16] David R. Butenhof. Programming with POSIX Threads. Addison-Wesley, 1998.
[17] Edmund M. Clarke, Orna Grumberg, and Doron A. Peled. Model Checking. MIT Press, 2000.
[18] Patrice Godefroid. Partial-Order Methods for the Verification of Concurrent Systems: An Approach to the State-Explosion Problem. Springer-Verlag New York, Inc., Secaucus, NJ, USA, 1996. Foreword by Pierre Wolper.
[19] Alexandru Salcianu and Martin Rinard. Pointer and escape analysis for multithreaded programs. In PPoPP '01: Proceedings of the Eighth ACM SIGPLAN Symposium on Principles and Practices of Parallel Programming, pages 12–23, New York, NY, USA, 2001. ACM Press.
[20] http://manju.cs.berkeley.edu/cil/.
[21] http://freshmeat.net/projects/aget/.
[22] http://freshmeat.net/projects/pfscan.
[23] http://tplay.sourceforge.net/.
[24] http://cprops.sourceforge.net/.
[25] http://www.cs.utah.edu/~yuyang/inspect.
[26] Yu Lei and Richard H. Carver. Reachability testing of concurrent programs. IEEE Trans. Software Eng., 32(6):382–403, 2006.
[27] Madanlal Musuvathi, David Y. W. Park, Andy Chou, Dawson R. Engler, and David L. Dill. CMC: A pragmatic approach to model checking real code. In OSDI, 2002.
[28] Orit Edelstein, Eitan Farchi, Evgeny Goldin, Yarden Nir, Gil Ratsaby, and Shmuel Ur. Framework for testing multi-threaded Java programs. Concurrency and Computation: Practice and Experience, 15(3-5):485–499, 2003.
[29] Koushik Sen and Gul Agha. Concolic testing of multithreaded programs and its application to testing security protocols. Technical Report UIUCDCS-R-2006-2676, University of Illinois at Urbana-Champaign, 2006.
[30] Claude Helmstetter, Florence Maraninchi, Laurent Maillet-Contoz, and Matthieu Moy. Automatic generation of schedulings for improving the test coverage of systems-on-a-chip. In FMCAD, pages 171–178, 2006.
[31] http://research.microsoft.com/projects/CHESS/.
[32] Tayfun Elmas, Shaz Qadeer, and Serdar Tasiran. Goldilocks: Efficiently computing the happens-before relation using locksets. In Formal Approaches to Software Testing and Runtime Verification, LNCS, pages 193–208, Berlin, Germany, 2006. Springer.
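The request/permit handshake between source-instrumented threads and an external scheduler over blocking sockets, as contrasted with CHESS in Section 7, written here as an added example that is not inspect's own code: every thread blocks before each visible operation, and the scheduler permits exactly one thread at a time, so a chosen interleaving of the shared-counter updates is forced and can be replayed. The message bytes 'R', 'P' and 'E', the helper names, the thread count and the shared counter are assumptions made for this example.

```c
#include <pthread.h>
#include <sys/socket.h>
#include <unistd.h>

#define NTHREADS 3
#define STEPS 2   /* visible operations each thread performs */
/* Constructed for this example (not inspect's own code): one socketpair per
 * thread, thr_fd being the instrumented thread's end, sched_fd the scheduler's. */
static int thr_fd[NTHREADS], sched_fd[NTHREADS];
static int shared_counter, trace[NTHREADS * STEPS], trace_len; /* shared object; who ran each step */
static void wr(int fd, char c) { if (write(fd, &c, 1) != 1) pthread_exit(NULL); }
static char rd(int fd) { char c = 0; return read(fd, &c, 1) == 1 ? c : 0; }

/* Instrumentation placed before every visible operation: send a request ('R')
 * and block on the socket until the scheduler answers with a permit ('P'). */
static void inspect_request(int tid) {
    wr(thr_fd[tid], 'R');
    if (rd(thr_fd[tid]) != 'P') pthread_exit(NULL);
}

static void *worker(void *arg) {
    int tid = (int)(long)arg;
    for (int i = 0; i < STEPS; i++) {
        inspect_request(tid);
        trace[trace_len++] = tid;   /* only the permitted thread runs: no race */
        shared_counter++;           /* the visible operation on shared data */
    }
    wr(thr_fd[tid], 'E');           /* tell the scheduler this thread has exited */
    return NULL;
}

/* Scheduler side: force the interleaving 'order' (one thread id per step) while every
 * other thread stays blocked on its socket. Returns the final counter, or -1 if 'order'
 * is not a complete, valid schedule (in that case the leftover threads stay blocked). */
int run_schedule(const int *order, int nsteps) {
    pthread_t th[NTHREADS]; char pending[NTHREADS]; /* last byte from each thread */
    shared_counter = 0; trace_len = 0;
    for (int t = 0; t < NTHREADS; t++) {
        int sv[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
        thr_fd[t] = sv[0]; sched_fd[t] = sv[1];
        pthread_create(&th[t], NULL, worker, (void *)(long)t);
        pending[t] = rd(sched_fd[t]);       /* each thread blocks on its first request */
    }
    for (int k = 0; k < nsteps; k++) {
        int t = order[k]; if (t < 0 || t >= NTHREADS || pending[t] != 'R') return -1;
        wr(sched_fd[t], 'P'); pending[t] = rd(sched_fd[t]); /* permit one, wait until it blocks */
    }
    for (int t = 0; t < NTHREADS; t++) if (pending[t] != 'E') return -1; /* thread left blocked */
    for (int t = 0; t < NTHREADS; t++) pthread_join(th[t], NULL);
    return shared_counter;
}
```

Because the scheduler only hands out the next permit after the permitted thread has reported back, the recorded trace equals the requested order exactly, which is what makes an enumerated interleaving reproducible.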